Updating a DNSSEC config to use a different algorithm
matthijs at isc.org
Mon Feb 1 14:14:53 UTC 2021
Depends on what your DNSSEC configuration is. Are you using
dnssec-signzone/named? auto-dnssec maintain? inline-signing?
Yes, there are a lot of ways to maintain DNSSEC in BIND. The recommended
way forward is to use dnssec-policy. Migrating to it may still be a bit
tricky*, but once you use it, changing to a new signing algorithm is pretty
1. Update your dnssec-policy, reload config.
2. Wait a little bit.
3. When the new DS is in the parent, run "rndc dnssec -checkds published"
on the right key id.
4. Also run "rndc dnssec -checkds withdrawn" on the id of the key that
has its DS removed from the parent.
5. Have a celebratory drink.
Algorithm rollover with dnssec-policy will gracefully transition to the
keys with the new algorithms, so during the rollover period you should
see your zone being signed with two algorithms.
*In principle you can just switch to dnssec-policy with your existing
key files and BIND will initialize key state files for those keys. But
there is at least one known bug where deleted keys may be used again for
signing (those deleted keys still have their key files in the key
directory). [GL #2406]
On 01-02-2021 14:40, @lbutlr wrote:
> I've been using alg-7 for DNS, but that is no longer recommended. How difficult is it to change the signing algorithm and what is the process (Bind 9.16.11)?
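The procedure above, as an added example that is not part of the original post or of ISC's own documentation: a named.conf dnssec-policy stanza for the target algorithm (a single CSK, algorithm 13 = ECDSAP256SHA256, beside the old algorithm 7), the zone statement that switches to it, and shell wrappers for the rndc steps in the order the post gives them. The zone name example.com, the policy names, the zone file name and the key ids 12345/54321 are placeholders. The rndc calls are dry-run by default (they are printed, not executed) so the script can be read and tested offline; set RNDC=rndc to run them for real.

```shell
#!/bin/sh
# Added example, not code from the bind-users post. Policy/zone names and key ids
# are placeholders; adjust TTLs and lifetimes to your environment.

# Print a dnssec-policy stanza that signs with one CSK of the given algorithm.
# Algorithm numbers: 7 = RSASHA1-NSEC3-SHA1 (the old one), 13 = ECDSAP256SHA256.
policy_stanza() {
  name=$1; alg=$2
  cat <<EOF
dnssec-policy "$name" {
    keys {
        csk lifetime unlimited algorithm $alg;
    };
    parent-ds-ttl 86400;
    parent-propagation-delay 1h;
};
EOF
}

# Print the zone statement pointing the zone at the new policy (step 1: edit
# named.conf so the zone references the new policy instead of the old one).
zone_stanza() {
  zone=$1; zonefile=$2; policy=$3
  cat <<EOF
zone "$zone" {
    type primary;
    file "$zonefile";
    dnssec-policy "$policy";
};
EOF
}

# Dry-run by default: the rndc commands are echoed. Use RNDC=rndc to execute.
RNDC="${RNDC:-echo rndc}"

# Step 1 (second half): reload the configuration so named picks up the policy.
reload_config() { $RNDC reload; }

# Step 2 is waiting: watch the key states; during the rollover both
# algorithms should show up as signing the zone.
show_status() { $RNDC dnssec -status "$1"; }

# Step 3: only after you have published the new key's DS at the parent, tell
# named that the DS is in place. $1 = zone, $2 = key id of the new key.
checkds_published() { $RNDC dnssec -checkds -key "$2" published "$1"; }

# Step 4: after removing the old key's DS from the parent, tell named so it
# can retire the old algorithm. $1 = zone, $2 = key id of the old key.
checkds_withdrawn() { $RNDC dnssec -checkds -key "$2" withdrawn "$1"; }

# Usage (dry run): prints the old and new policy, the zone statement, and the
# rndc commands in order; nothing is sent to named unless RNDC=rndc.
demo() {
  policy_stanza "rsasha1-nsec3" 7      # what the zone was using
  policy_stanza "ecdsa256" 13          # what it will use
  zone_stanza "example.com" "example.com.db" "ecdsa256"
  reload_config
  show_status "example.com"
  checkds_published "example.com" 12345
  checkds_withdrawn "example.com" 54321
}
```

The wrappers deliberately do not fetch or submit the DS record for you: step 3 assumes you have already placed the new DS at the parent through whatever registrar or parent-zone process you use, and running "rndc dnssec -checkds published" before that is true tells named the rollover is further along than it is.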